Client-side security is set up by either setting individual properties on the javax.xml.rpc.Stub object used for the web service method invocation or by setting properties on a client-side security descriptor object, which in turn is propagated to client-side security handlers by making it available as a stub object property. Here are examples of the two approaches:

Setting a property on the stub:

// Create endpoint reference
EndpointReferenceType endpoint = new EndpointReferenceType();
// Set address of service
String counterAddr = 
   "http://localhost:8080/wsrf/services/CounterService";
// Get handle to port 
CounterPortType port = 
   locator.getCounterPortTypePort(endpoint);
// set client authorization to self 
  ((Stub)port)._setProperty(Constants.AUTHORIZATION, 
               SelfAuthorization.getInstance());

Setting properties using a client descriptor:

// Client security descriptor file 
String CLIENT_DESC = 
   "org/globus/wsrf/samples/counter/client/client-security-config.xml"; 
// Create endpoint reference
EndpointReferenceType endpoint = new EndpointReferenceType();
// Set address of service
String counterAddr = 
   "http://localhost:8080/wsrf/services/CounterService";
// Get handle to port 
CounterPortType port = 
   locator.getCounterPortTypePort(endpoint);
//Set descriptor on Stub 
((Stub)port)._setProperty(Constants.CLIENT_DESCRIPTOR_FILE, CLIENT_DESC);

The descriptor file is described in detail in Chapter 1, Security Descriptors Introduction.

Note

	Note
If the client needs to use transport security, the following API must be used to register the Axis transport handler for `https`: import org.globus.axis.util.Util; static { Util.registerTransport(); }

If the client needs to use transport security, the following API must be used to register the Axis transport handler for https:

import org.globus.axis.util.Util;
static {
        Util.registerTransport();
    }

2. Syntax of the interface

Table 1. Client side security properties

Number	Task	Stub Configuration	Descriptor Configuration
1.	Allows for configuration of credentials for authentication.	Property: org.globus.axis.gsi.GSIConstants.GSI_CREDENTIALS Value equals the Instance of `org.ietf.jgss.GSSCredential`.	Section 1.2.1, “Configuring credentials ”
2.	Allows for configuring client-side authorization.	Property: org.globus.wsrf.security.Constants.AUTHORIZATION Value equals the Instance of `org.globus.wsrf.security.authorization.Authorization` If GSI Secure Transport or GSI Secure Conversation is used, the value should be an instance of `org.globus.gsi.gssapi.auth.Authorization`. But this translation is done automatically by the toolkit.	Refer to Section 1.2.2, “Configuring authorization mechanism ”
3.	Enable GSI Secure Conversation with specified message protection level.	1. Property: org.globus.wsrf.security.Constants.GSI_SEC_CONV Values equal one of the following: Constants.ENCRYPTION Constants.SIGNATURE 2. Property: `org.globus.wsrf.security.Constants.GSI_SEC_CONV_SECREPLY_UNNECESSARY` If the value is set to Boolean.TRUE, the GSI Secure conversation protection is not required in the reply message. By default, if the request was secured with GSI Secure Conversation, the response is also required to have the same protection. 3. Property: You can set the SOAP Actor of the GSI signed/encrypted SOAP message by using the `gssActor` property. We recommend that you not do this unless you really know what you are doing.	Refer Section 1.2.3, “Configuring GSI Secure Conversation ”.
4.	Sets the GSI delegation mode. Used for GSI Secure Conversation only. If limited or full delegation is chosen, then some form of client-side authorization needs to be done (i.e client-side authorization cannot be set to `none`).	Property: org.globus.axis.gsi.GSIConstants.GSI_MODE Value equals one of following: `GSIConstants.GSI_MODE_NO_DELEG`: No delegation is performed. `GSIConstants.GSI_MODE_LIMITED_DELEG`: Limited delegation is performed. `GSIConstants.GSI_MODE_FULL_DELEG`: Full delegation is performed.	Refer Section 1.2.3, “Configuring GSI Secure Conversation ”
5.	Enables GSI Secure Transport with some protection level.	Property: org.globus.gsi.GSIConstants.GSI_TRANSPORT Values equal one of the following: `Constants.ENCRYPTION` `Constants.SIGNATURE`	Refer Section 1.2.5, “Configuring GSI Secure Transport ”
6.	Enables anonymous authentication. This option only applies to GSI Secure Conversation and GSI Transport.	Property: org.globus.wsrf.security.Constants.GSI_ANONYMOUS Value equals one of following: Boolean.FALSE: Anonymous authentication is disabled. Boolean.TRUE: Anonymous authentication is enabled.	Refer Section 1.2.3, “Configuring GSI Secure Conversation ” and Section 1.2.5, “Configuring GSI Secure Transport ”
7.	Enable GSI Secure Message with specified message protection level.	1. Property: org.globus.wsrf.security.Constants.GSI_SEC_MSG Values equal one of the following: `Constants.ENCRYPTION` `Constants.SIGNATURE` 2. Property: `org.globus.wsrf.security.Constants.GSI_SEC_MSG_SECREPLY_UNNECESSARY` If the value is set to Boolean.TRUE, the GSI Secure Message protection is not required in the reply message. By default, if the request was secured with GSI Secure Message, the response is also required to have the same protection. 3. Property: `org.globus.wsrf.security.Constants.GSI_SEC_MSG_SINGLECERT` If the value is set to Boolean.TRUE, only a single certificate is used for the GSI Secure Message request. By default, the whole certificate chain is sent. 4. Property: You can set the SOAP Actor of the signed message using the `x509Actor` property, but we do not recommend this unless you know what you are doing.	Refer Section 1.2.4, “Configuring GSI Secure Message ”.
8.	Enable WS-Security username/password authentication.	Properties: org.globus.wsrf.security.Constants.USERNAME Value equals the username. org.globus.wsrf.security.Constants.PASSWORD Value equals the password.	Refer Section 1.2.6, “Configuring Username/Password ”
9.	Sets the credential that is used to encrypt the message (typically, the recipient's public key). Used for GSI Secure Message only.	Property: org.globus.wsrf.impl.security.authentication .Constants.PEER_SUBJECT Value equals the instance of `javax.security.auth.Subject`. The credential object needs to be wrapped in `org.globus.wsrf.impl.security.authentication.encryption` and added to the set of public credentials of the `Subject` object. For example, if `publicKeyFilename` was the file that had the recipient's public key: Subject subject = new Subject(); X509Certificate serverCert = CertUtil.loadCertificate(publicKeyFilename); EncryptionCredentials encryptionCreds = new EncryptionCredentials( new X509Certificate[] { serverCert }); subject.getPublicCredentials().add(encryptionCreds); stub._setProperty(Constants.PEER_SUBJECT, subject);	Refer Section 1.2.4, “Configuring GSI Secure Message ”
10.	Sets the trusted certificates location.	Property: org.globus.wsrf.security.TRUSTED_CERTIFICATES Value should be a comma-separated list of directories and file names.	Refer Section 1.2.7, “Configuring trusted credentials ”
11.	Sets the SAML Authorization Assertion to embed in SOAP Header.	Property: org.globus.wsrf.impl.security.authentication.Constants.SAML_AUTHZ_ASSERTION Value should be an instance of org.opensaml.SAMLAssertion.	Cannot be configured using descriptors.

Prev		Next
Framework-level Protocols	Home	Authorization domain-level interface